Back to skill

Security audit

Library of Babel

Security checks across malware telemetry and agentic risk

Overview

This is a local Library of Babel math/demo skill with narrow codex file persistence and no evidence of network access, credential use, exfiltration, or destructive behavior.

Install only if you are comfortable with a local math/demo skill. The core lookup and page-generation functions do not need network access or credentials. Do not use add_to_codex with private or sensitive text unless you want that text and source label saved in codex.json.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill documentation indicates file read and write capabilities through use of `codex.json`, but no corresponding permissions or warnings are declared. Undeclared persistence increases the risk of surprising side effects, especially in agent environments where users may assume the skill is purely computational and non-mutating.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The skill is presented as deterministic and storage-free, yet it also reads and writes a local file and mentions randomness in a demo. This description-behavior mismatch can mislead users and orchestration systems about safety, reproducibility, and side effects, which is especially risky when agent routing depends on the declared purpose.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The documentation explicitly says 'No database. No storage.' while later describing persistence to `codex.json`. Contradictory safety claims are dangerous because they can cause users or automated systems to trust the skill as side-effect free when it actually stores user-provided content locally.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The manifest frames the skill as a deterministic mathematical engine with no storage, but the documentation includes a persistence feature for user data. This inconsistency weakens trust boundaries and can lead to unsafe deployment decisions, since the manifest is often used as the authoritative declaration of behavior.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation describes immediately persisting user-provided content without warning that local data will be modified. Silent writes can expose sensitive user input to retention on disk and create auditability, privacy, and integrity concerns in environments where users expect ephemeral processing.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.